Skip to content

Commit

Permalink
Merge pull request #128 from hashicorp/johnlanda/vault-22973
Browse files Browse the repository at this point in the history
Add support for multiple JWKS urls
  • Loading branch information
johnlanda authored Feb 6, 2024
2 parents 1d58e0e + 6ee096b commit c782f1d
Show file tree
Hide file tree
Showing 2 changed files with 1,017 additions and 16 deletions.
38 changes: 29 additions & 9 deletions jwt/jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,19 +19,27 @@ import (
const DefaultLeewaySeconds = 150

// Validator validates JSON Web Tokens (JWT) by providing signature
// verification and claims set validation.
// verification and claims set validation. Validator can contain either
// a single or multiple KeySets and will attempt to verify the JWT by iterating
// through the configured KeySets.
type Validator struct {
keySet KeySet
keySets []KeySet
}

// NewValidator returns a Validator that uses the given KeySet to verify JWT signatures.
func NewValidator(keySet KeySet) (*Validator, error) {
if keySet == nil {
return nil, errors.New("keySet must not be nil")
func NewValidator(keySets ...KeySet) (*Validator, error) {
if len(keySets) <= 0 {
return nil, errors.New("must provide at least one key set")
}

for _, keySet := range keySets {
if keySet == nil {
return nil, errors.New("keySet must not be nil")
}
}

return &Validator{
keySet: keySet,
keySets: keySets,
}, nil
}

Expand Down Expand Up @@ -116,9 +124,21 @@ func (v *Validator) ValidateAllowMissingIatNbfExp(ctx context.Context, token str
}

func (v *Validator) validateAll(ctx context.Context, token string, expected Expected, allowMissingIatExpNbf bool) (map[string]interface{}, error) {
// First, verify the signature to ensure subsequent validation is against verified claims
allClaims, err := v.keySet.VerifySignature(ctx, token)
if err != nil {
var allClaims map[string]interface{}
var err error

// Ensure that the token is signed by at least one of the given key sets
var tokenVerified bool
for _, keySet := range v.keySets {
// First, verify the signature to ensure subsequent validation is against verified claims
allClaims, err = keySet.VerifySignature(ctx, token)
if err == nil {
tokenVerified = true
break
}
}

if !tokenVerified {
return nil, fmt.Errorf("error verifying token signature: %w", err)
}

Expand Down
Loading

0 comments on commit c782f1d

Please sign in to comment.